{"id":"CVE-2019-18466","details":"An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.","aliases":["GHSA-r34v-gqmw-qvgj","GO-2023-1942"],"modified":"2026-04-10T04:16:38.118908Z","published":"2019-10-28T13:15:11.430Z","related":["SUSE-SU-2020:0697-1","openSUSE-SU-2020:0398-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00040.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4269"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1744588"},{"type":"FIX","url":"https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e"},{"type":"FIX","url":"https://github.com/containers/libpod/compare/v1.5.1...v1.6.0"},{"type":"EVIDENCE","url":"https://github.com/containers/libpod/issues/3829"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/containers/libpod","events":[{"introduced":"0"},{"fixed":"b02b072832cac26d7cc468d713303843d2935a36"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.0"}]}},{"type":"GIT","repo":"https://github.com/containers/podman","events":[{"introduced":"0"},{"fixed":"5c09c4d2947a759724f9d5aef6bac04317e03f7e"}]}],"versions":["v0.2","v0.2.1","v0.8.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18466.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}